Disqus Comments Embed – 403 error

Home Forums BulletProof Security Pro Disqus Comments Embed – 403 error

This topic contains 17 replies, has 3 voices, and was last updated by  Krzysztof 2 years, 1 month ago.

Viewing 15 posts - 1 through 15 (of 18 total)
  • Author
    Posts
  • #28685

    stefano
    Participant

    Hi,
    I’ve seen that links from disqus comments are blocked (403 – forbidden). How can I get around?
    The security log says:

    [403 GET Request: 22/03/2016 - 7:18 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 82.56.112.92
    Host Name: host92-112-dynamic.56-82-r.retail.telecomitalia.it
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://disqus.com/embed/comments/?base=default&version=85ba7336856f5be9db0e468752c2dad5&f=fattoquotidiano&t_i=2571568&t_u=http%3A%2F%2Fwww.ilfattoquotidiano.it%2F2016%2F03%2F22%2Freferendum-trivelle-il-ministro-dellambiente-galletti-se-voto-voto-no-questa-consultazione-e-ideologica%2F2571568%2F&t_e=Referendum%20trivelle%2C%20il%20ministro%20dell%26%238217%3BAmbiente%20Galletti%3A%20%26%238220%3BSe%20voto%2C%20voto%20no.%20Questa%20consultazione%20%C3%A8%20ideologica%26%238221%3B&t_d=Referendum%20trivelle%2C%20il%20ministro%20dell%27Ambiente%20Galletti%3A%20%22Se%20voto%2C%20voto%20no.%20Questa%20consultazione%20%C3%A8%20ideologica%22%20-%20Il%20Fatto%20Quotidiano&t_t=Referendum%20trivelle%2C%20il%20ministro%20dell%26%238217%3BAmbiente%20Galletti%3A%20%26%238220%3BSe%20voto%2C%20voto%20no.%20Questa%20consultazione%20%C3%A8%20ideologica%26%238221%3B&s_o=default
    REQUEST_URI: /2016/03/idrocarburi-e-occupazione/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

    Thanks

    #28692

    AITpro Admin
    Keymaster

    Are you using a plugin that adds the Disqus Comment Embed code or have you added the Disqus Comment Embed code manually?  Please provide a link to either the plugin you are using or the Disqus Comment Embed code you are using.

    #28694

    stefano
    Participant

    None of that. Someone in a well known (in Italy, at least 😀 ) online newspaper put a comment linking an article of mine  http://www.ilfattoquotidiano.it/2016/03/22/referendum-trivelle-il-ministro-dellambiente-galletti-se-voto-voto-no-questa-consultazione-e-ideologica/2571568/#comment-2583481081 I can see it as a referrer in google analytics and in jetpack statistics, but clicking in the link I get a 403 page. This is not the first time links from disqus comment go to 403

    #28697

    AITpro Admin
    Keymaster

    Thanks for providing the link to your site which shows that your WordPress Theme is embedding the Disqus comment code in your website pages Source Code and linking to this Theme file:  /wp-content/themes/carrington-blog/functions/disqus.php.  I believe the block is being caused because the Disqus Comment Embed code is simulating an RFI hacking attempt against your website.  I will test the Query String and post the solution after testing.

    #28700

    stefano
    Participant

    That’s not my website. Tha’s the site of tne newspaper in wich that guy commented out with a lint to mine. Mine is http://ilcappellopensatore.it Sorry I forgot to mention mine

    #28706

    AITpro Admin
    Keymaster

    Oh ok.  Well anyway the Query String in the Security Log entry you posted is simulating an RFI hacking attempt against your website.  So the same whitelisting method will work to allow the simulated RFI hacking attempt against your website. Or another method of allowing this would probably be to allow/whitelist the disqus.com domain in your BPS root htaccess code.  I will test both whitelisting methods to see which is better to use.

    #28708

    AITpro Admin
    Keymaster

    Try this below and let me know if it works.
    [incorrect/invalid fix deleted/removed]

    #28709

    stefano
    Participant

    Unfortunately not workimg. Do you want me make an admin account?

    #28712

    AITpro Admin
    Keymaster

    Try this next and let me know if it works.
    [incorrect/invalid fix deleted/removed]

    #28713

    stefano
    Participant

    Sorry it doesn’t work

    #28714

    AITpro Admin
    Keymaster

    Ok send me an Administrator login to this site so I can figure out which BPS security filters need to be commented out to allow the Disqus link.  email to:  info at ait-pro dot com.

    #28715

    stefano
    Participant

    Thanks. Sent it to info at ait-pro.com

    #28716

    AITpro Admin
    Keymaster

    Ok the issue is fixed.  It was not an RFI security filter afterall.  I missed that the Query String had an apostrophe | single quote code character | ‘ | %27 in the Query String.

    Removed/deleted %27 from this Query String security filter below.

    Before:
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    After:
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]

    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    #28729

    stefano
    Participant

    So I understand that the problem is the Italian language and disqus that put the title of the article (instead of the url) in the referral link? 🙁

    I really thank you, anyway 🙂

    #28735

    AITpro Admin
    Keymaster

    Not really sure what options Disqus has for links and since the link is coming from another website then you probably cannot do anything about external links pointing back to your website.

Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic.